Introduced struct ecc_modulo.

ChangeLog

+2014-09-22  Niels Möller  <nisse@lysator.liu.se>
+
+	* ecc-internal.h (struct ecc_modulo): New struct, collecting
+	constants needed for modulo arithmetic.
+	(struct ecc_curve): Use struct ecc_modulo for p and q arithmetic.
+	Updated all ecc-related files.
+
 2014-09-17  Niels Möller  <nisse@lysator.liu.se>
 
 	* gmp-glue.c (mpn_get_base256_le): Fixed missing update of rn

curve25519-eh-to-x.c

@@ -46,11 +46,11 @@ void
 curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
 		    mp_limb_t *scratch)
 {
-#define vp (p + ecc->size)
-#define wp (p + 2*ecc->size)
+#define vp (p + ecc->p.size)
+#define wp (p + 2*ecc->p.size)
 #define t0 scratch
-#define t1 (scratch + ecc->size)
-#define t2 (scratch + 2*ecc->size)
+#define t1 (scratch + ecc->p.size)
+#define t2 (scratch + 2*ecc->p.size)
 
   const struct ecc_curve *ecc = &nettle_curve25519;  
   mp_limb_t cy;
@@ -71,8 +71,8 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
   ecc_modp_add (ecc, t0, wp, vp);
   ecc_modp_mul (ecc, t2, t0, t1);
 
-  cy = mpn_sub_n (xp, t2, ecc->p, ecc->size);
-  cnd_copy (cy, xp, t2, ecc->size);
+  cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
+  cnd_copy (cy, xp, t2, ecc->p.size);
 #undef vp
 #undef wp
 #undef t0

curve25519-mul-g.c

@@ -49,23 +49,23 @@ curve25519_mul_g (uint8_t *r, const uint8_t *n)
   mp_limb_t *scratch;
   mp_size_t itch;
 
-#define p scratch
-#define x (scratch + 3*ecc->size)
-#define scratch_out (scratch + 4*ecc->size)
+#define ng scratch
+#define x (scratch + 3*ecc->p.size)
+#define scratch_out (scratch + 4*ecc->p.size)
   
   memcpy (t, n, sizeof(t));
   t[0] &= ~7;
   t[CURVE25519_SIZE-1] = (t[CURVE25519_SIZE-1] & 0x3f) | 0x40;
 
-  itch = 4*ecc->size + ecc->mul_g_itch;
+  itch = 4*ecc->p.size + ecc->mul_g_itch;
   scratch = gmp_alloc_limbs (itch);
 
-  mpn_set_base256_le (x, ecc->size, t, CURVE25519_SIZE);
+  mpn_set_base256_le (x, ecc->p.size, t, CURVE25519_SIZE);
 
-  ecc_mul_g_eh (ecc, p, x, scratch_out);
-  curve25519_eh_to_x (x, p, scratch_out);
+  ecc_mul_g_eh (ecc, ng, x, scratch_out);
+  curve25519_eh_to_x (x, ng, scratch_out);
 
-  mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc->size);
+  mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc->p.size);
   gmp_free_limbs (scratch, itch);
 #undef p
 #undef x

curve25519-mul.c

@@ -54,30 +54,30 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
      overlap C, D, and CB overlap A, D. And possibly reusing some of
      x2, z2, x3, z3. */
 #define x1 scratch
-#define x2 (scratch + ecc->size)
-#define z2 (scratch + 2*ecc->size)
-#define x3 (scratch + 3*ecc->size)
-#define z3 (scratch + 4*ecc->size)
-
-#define A  (scratch + 5*ecc->size)
-#define B  (scratch + 6*ecc->size)
-#define C  (scratch + 7*ecc->size)
-#define D  (scratch + 8*ecc->size)
-#define AA  (scratch + 9*ecc->size)
-#define BB  (scratch +10*ecc->size)
-#define E  (scratch + 10*ecc->size) /* Overlap BB */
-#define DA  (scratch + 9*ecc->size) /* Overlap AA */
-#define CB  (scratch + 10*ecc->size) /* Overlap BB */
-
-  itch = ecc->size * 12;
+#define x2 (scratch + ecc->p.size)
+#define z2 (scratch + 2*ecc->p.size)
+#define x3 (scratch + 3*ecc->p.size)
+#define z3 (scratch + 4*ecc->p.size)
+
+#define A  (scratch + 5*ecc->p.size)
+#define B  (scratch + 6*ecc->p.size)
+#define C  (scratch + 7*ecc->p.size)
+#define D  (scratch + 8*ecc->p.size)
+#define AA  (scratch + 9*ecc->p.size)
+#define BB  (scratch +10*ecc->p.size)
+#define E  (scratch + 10*ecc->p.size) /* Overlap BB */
+#define DA  (scratch + 9*ecc->p.size) /* Overlap AA */
+#define CB  (scratch + 10*ecc->p.size) /* Overlap BB */
+
+  itch = ecc->p.size * 12;
   scratch = gmp_alloc_limbs (itch);
 
-  mpn_set_base256_le (x1, ecc->size, p, CURVE25519_SIZE);
+  mpn_set_base256_le (x1, ecc->p.size, p, CURVE25519_SIZE);
 
   /* Initialize, x2 = x1, z2 = 1 */
-  mpn_copyi (x2, x1, ecc->size);
+  mpn_copyi (x2, x1, ecc->p.size);
   z2[0] = 1;
-  mpn_zero (z2+1, ecc->size - 1);
+  mpn_zero (z2+1, ecc->p.size - 1);
 
   /* Get x3, z3 from doubling. Since bit 254 is forced to 1. */
   ecc_modp_add (ecc, A, x2, z2);
@@ -93,7 +93,7 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
     {
       int bit = (n[i/8] >> (i & 7)) & 1;
 
-      cnd_swap (bit, x2, x3, 2*ecc->size);
+      cnd_swap (bit, x2, x3, 2*ecc->p.size);
 
       /* Formulas from draft-turner-thecurve25519function-00-Mont. We
 	 compute new coordinates in memory-address order, since mul
@@ -118,7 +118,7 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
       ecc_modp_sqr (ecc, DA, C);
       ecc_modp_mul (ecc, z3, DA, x1);
 
-      cnd_swap (bit, x2, x3, 2*ecc->size);
+      cnd_swap (bit, x2, x3, 2*ecc->p.size);
     }
   /* Do the 3 low zero bits, just duplicating x2 */
   for ( ; i >= 0; i--)
@@ -134,9 +134,9 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
     }
   ecc_modp_inv (ecc, x3, z2, z3);
   ecc_modp_mul (ecc, z3, x2, x3);
-  cy = mpn_sub_n (x2, z3, ecc->p, ecc->size);
-  cnd_copy (cy, x2, z3, ecc->size);
-  mpn_get_base256_le (q, CURVE25519_SIZE, x2, ecc->size);
+  cy = mpn_sub_n (x2, z3, ecc->p.m, ecc->p.size);
+  cnd_copy (cy, x2, z3, ecc->p.size);
+  mpn_get_base256_le (q, CURVE25519_SIZE, x2, ecc->p.size);
 
   gmp_free_limbs (scratch, itch);
   return 1;

ecc-192.c

@@ -112,13 +112,28 @@ ecc_192_modp (const struct ecc_curve *ecc UNUSED, mp_limb_t *rp)
 
 const struct ecc_curve nettle_secp_192r1 =
 {
-  192,
-  ECC_LIMB_SIZE,
-  ECC_BMODP_SIZE,
-  192,
-  ECC_BMODQ_SIZE,
+  {
+    192,
+    ECC_LIMB_SIZE,
+    ECC_BMODP_SIZE,
+    ECC_REDC_SIZE,
+    ecc_p,
+    ecc_Bmodp,
+    ecc_Bmodp_shifted,    
+    ecc_redc_ppm1,
+  },
+  {
+    192,
+    ECC_LIMB_SIZE,
+    ECC_BMODQ_SIZE,
+    0,
+    ecc_q,
+    ecc_Bmodq,
+    ecc_Bmodq_shifted,
+    NULL,
+  },
+  
   USE_REDC,
-  ECC_REDC_SIZE,
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
@@ -137,18 +152,11 @@ const struct ecc_curve nettle_secp_192r1 =
   ecc_mul_g,
   ecc_j_to_a,
 
-  ecc_p,
   ecc_b,
-  ecc_q,
   ecc_g,
   NULL,
-  ecc_Bmodp,
-  ecc_Bmodp_shifted,
   ecc_pp1h,
-  ecc_redc_ppm1,
   ecc_unit,
-  ecc_Bmodq,
-  ecc_Bmodq_shifted,
   ecc_qp1h,
   ecc_table
 };

ecc-224.c

@@ -64,13 +64,28 @@ ecc_224_modp (const struct ecc_curve *ecc, mp_limb_t *rp);
 
 const struct ecc_curve nettle_secp_224r1 =
 {
-  224,
-  ECC_LIMB_SIZE,    
-  ECC_BMODP_SIZE,
-  224,
-  ECC_BMODQ_SIZE,
+  {
+    224,
+    ECC_LIMB_SIZE,    
+    ECC_BMODP_SIZE,
+    -ECC_REDC_SIZE,
+    ecc_p,
+    ecc_Bmodp,
+    ecc_Bmodp_shifted,
+    ecc_redc_ppm1,
+  },
+  {
+    224,
+    ECC_LIMB_SIZE,    
+    ECC_BMODQ_SIZE,
+    0,
+    ecc_q,
+    ecc_Bmodq,
+    ecc_Bmodq_shifted,
+    NULL,
+  },
+  
   USE_REDC,
-  ECC_REDC_SIZE,
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
@@ -89,18 +104,11 @@ const struct ecc_curve nettle_secp_224r1 =
   ecc_mul_g,
   ecc_j_to_a,
 
-  ecc_p,
   ecc_b,
-  ecc_q,
   ecc_g,
   NULL,
-  ecc_Bmodp,
-  ecc_Bmodp_shifted,
   ecc_pp1h,
-  ecc_redc_ppm1,
   ecc_unit,
-  ecc_Bmodq,
-  ecc_Bmodq_shifted,
   ecc_qp1h,
   ecc_table
 };

ecc-25519.c

@@ -87,17 +87,17 @@ ecc_25519_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
   for (n = ECC_LIMB_SIZE; n-- > 0;)
     {
       cy = mpn_submul_1 (rp + n,
-			 ecc->Bmodq_shifted, ECC_LIMB_SIZE,
+			 ecc->q.B_shifted, ECC_LIMB_SIZE,
 			 rp[n + ECC_LIMB_SIZE]);
       /* Top limb of mBmodq_shifted is zero, so we get cy == 0 or 1 */
       assert (cy < 2);
-      cnd_add_n (cy, rp+n, ecc->q, ECC_LIMB_SIZE);
+      cnd_add_n (cy, rp+n, ecc->q.m, ECC_LIMB_SIZE);
     }
 
-  cy = mpn_submul_1 (rp, ecc->q, ECC_LIMB_SIZE,
+  cy = mpn_submul_1 (rp, ecc->q.m, ECC_LIMB_SIZE,
 		     rp[ECC_LIMB_SIZE-1] >> (GMP_NUMB_BITS - QHIGH_BITS));
   assert (cy < 2);
-  cnd_add_n (cy, rp, ecc->q, ECC_LIMB_SIZE);
+  cnd_add_n (cy, rp, ecc->q.m, ECC_LIMB_SIZE);
 }
 
 /* Needs 2*ecc->size limbs at rp, and 2*ecc->size additional limbs of
@@ -200,8 +200,8 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap)
   ecc_modp_mul (ecc, xp, t0, ap); /* a^{(p+3)/8 */
   ecc_modp_mul (ecc, bp, t0, xp); /* a^{(p-1)/4} */
   /* Check if b == 1 (mod p) */
-  if (mpn_cmp (bp, ecc->p, ECC_LIMB_SIZE) >= 0)
-    mpn_sub_n (bp, bp, ecc->p, ECC_LIMB_SIZE);
+  if (mpn_cmp (bp, ecc->p.m, ECC_LIMB_SIZE) >= 0)
+    mpn_sub_n (bp, bp, ecc->p.m, ECC_LIMB_SIZE);
   if (mpn_cmp (bp, ecc->unit, ECC_LIMB_SIZE) == 0)
     {
       mpn_copyi (rp, xp, ECC_LIMB_SIZE);
@@ -210,7 +210,7 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap)
   else
     {
       mpn_add_1 (bp, bp, ECC_LIMB_SIZE, 1);
-      if (mpn_cmp (bp, ecc->p, ECC_LIMB_SIZE) == 0)
+      if (mpn_cmp (bp, ecc->p.m, ECC_LIMB_SIZE) == 0)
 	{
 	  ecc_modp_mul (&nettle_curve25519, bp, xp, ecc_sqrt_z);
 	  mpn_copyi (rp, bp, ECC_LIMB_SIZE);
@@ -232,13 +232,28 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap)
 
 const struct ecc_curve nettle_curve25519 =
 {
-  255,
-  ECC_LIMB_SIZE,
-  ECC_BMODP_SIZE,
-  253,
-  ECC_BMODQ_SIZE,
+  {
+    255,
+    ECC_LIMB_SIZE,
+    ECC_BMODP_SIZE,
+    0,
+    ecc_p,
+    ecc_Bmodp,
+    ecc_Bmodp_shifted,
+    NULL,
+  },
+  {
+    253,
+    ECC_LIMB_SIZE,
+    ECC_BMODQ_SIZE,
+    0,
+    ecc_q,
+    ecc_Bmodq,  
+    ecc_mBmodq_shifted, /* Use q - 2^{252} instead. */
+    NULL,
+  },
+
   0, /* No redc */
-  0,
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
@@ -257,18 +272,11 @@ const struct ecc_curve nettle_curve25519 =
   ecc_mul_g_eh,
   ecc_eh_to_a,
 
-  ecc_p,
   ecc_d, /* Use the Edwards curve constant. */
-  ecc_q,
   ecc_g,
   ecc_edwards,
-  ecc_Bmodp,
-  ecc_Bmodp_shifted,
   ecc_pp1h,
-  ecc_redc_ppm1,
   ecc_unit,
-  ecc_Bmodq,  
-  ecc_mBmodq_shifted, /* Use q - 2^{252} instead. */ 
   ecc_qp1h,
   ecc_table
 };

ecc-256.c

@@ -75,12 +75,12 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
   mp_limb_t u1, u0;
   mp_size_t n;
 
-  n = 2*ecc->size;
+  n = 2*ecc->p.size;
   u1 = rp[--n];
   u0 = rp[n-1];
 
   /* This is not particularly fast, but should work well with assembly implementation. */
-  for (; n >= ecc->size; n--)
+  for (; n >= ecc->p.size; n--)
     {
       mp_limb_t q2, q1, q0, t, cy;
 
@@ -115,8 +115,8 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
 
       /* We multiply by two low limbs of p, 2^96 - 1, so we could use
 	 shifts rather than mul. */
-      t = mpn_submul_1 (rp + n - 4, ecc->p, 2, q1);
-      t += cnd_sub_n (q2, rp + n - 3, ecc->p, 1);
+      t = mpn_submul_1 (rp + n - 4, ecc->p.m, 2, q1);
+      t += cnd_sub_n (q2, rp + n - 3, ecc->p.m, 1);
       t += (-q2) & 0xffffffff;
 
       u0 = rp[n-2];
@@ -124,7 +124,7 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
       u0 -= t;
       t = (u1 < cy);
       u1 -= cy;
-      u1 += cnd_add_n (t, rp + n - 4, ecc->p, 3);
+      u1 += cnd_add_n (t, rp + n - 4, ecc->p.m, 3);
       u1 -= (-t) & 0xffffffff;
     }
   rp[2] = u0;
@@ -137,12 +137,12 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
   mp_limb_t u2, u1, u0;
   mp_size_t n;
 
-  n = 2*ecc->size;
+  n = 2*ecc->q.size;
   u2 = rp[--n];
   u1 = rp[n-1];
 
   /* This is not particularly fast, but should work well with assembly implementation. */
-  for (; n >= ecc->size; n--)
+  for (; n >= ecc->q.size; n--)
     {
       mp_limb_t q2, q1, q0, t, c1, c0;
 
@@ -196,9 +196,9 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
 
       assert (q2 < 2);
 
-      c0 = cnd_sub_n (q2, rp + n - 3, ecc->q, 1);
-      c0 += (-q2) & ecc->q[1];
-      t = mpn_submul_1 (rp + n - 4, ecc->q, 2, q1);
+      c0 = cnd_sub_n (q2, rp + n - 3, ecc->q.m, 1);
+      c0 += (-q2) & ecc->q.m[1];
+      t = mpn_submul_1 (rp + n - 4, ecc->q.m, 2, q1);
       c0 += t;
       c1 = c0 < t;
       
@@ -213,7 +213,7 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
       u1 += t;
       u2 += (t<<32) + (u0 < t);
 
-      t = cnd_add_n (t, rp + n - 4, ecc->q, 2);
+      t = cnd_add_n (t, rp + n - 4, ecc->q.m, 2);
       u1 += t;
       u2 += (u1 < t);
     }
@@ -227,13 +227,28 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
 
 const struct ecc_curve nettle_secp_256r1 =
 {
-  256,
-  ECC_LIMB_SIZE,    
-  ECC_BMODP_SIZE,
-  256,
-  ECC_BMODQ_SIZE,
+  {
+    256,
+    ECC_LIMB_SIZE,    
+    ECC_BMODP_SIZE,
+    ECC_REDC_SIZE,
+    ecc_p,
+    ecc_Bmodp,
+    ecc_Bmodp_shifted,
+    ecc_redc_ppm1,
+  },
+  {
+    256,
+    ECC_LIMB_SIZE,    
+    ECC_BMODQ_SIZE,
+    0,
+    ecc_q,
+    ecc_Bmodq,
+    ecc_Bmodq_shifted,
+    NULL,
+  },
+
   USE_REDC,
-  ECC_REDC_SIZE,
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
@@ -252,18 +267,11 @@ const struct ecc_curve nettle_secp_256r1 =
   ecc_mul_g,
   ecc_j_to_a,
 
-  ecc_p,
   ecc_b,
-  ecc_q,
   ecc_g,
   NULL,
-  ecc_Bmodp,
-  ecc_Bmodp_shifted,
   ecc_pp1h,
-  ecc_redc_ppm1,
   ecc_unit,
-  ecc_Bmodq,
-  ecc_Bmodq_shifted,
   ecc_qp1h,
   ecc_table
 };

ecc-384.c

@@ -140,7 +140,7 @@ ecc_384_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
   cy = sec_add_1 (rp + 5, rp + 5, 1, cy);
   assert (cy <= 1);
 
-  cy = cnd_add_n (cy, rp, ecc->Bmodp, ECC_LIMB_SIZE);
+  cy = cnd_add_n (cy, rp, ecc->p.B, ECC_LIMB_SIZE);
   assert (cy == 0);  
 }
 #else
@@ -149,13 +149,28 @@ ecc_384_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
   
 const struct ecc_curve nettle_secp_384r1 =
 {
-  384,
-  ECC_LIMB_SIZE,    
-  ECC_BMODP_SIZE,
-  384,
-  ECC_BMODQ_SIZE,
+  {
+    384,
+    ECC_LIMB_SIZE,    
+    ECC_BMODP_SIZE,
+    ECC_REDC_SIZE,
+    ecc_p,
+    ecc_Bmodp,
+    ecc_Bmodp_shifted,
+    ecc_redc_ppm1,
+  },
+  {
+    384,
+    ECC_LIMB_SIZE,    
+    ECC_BMODQ_SIZE,
+    0,
+    ecc_q,
+    ecc_Bmodq,
+    ecc_Bmodq_shifted,
+    NULL,
+  },
+
   USE_REDC,
-  ECC_REDC_SIZE,
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
@@ -174,18 +189,11 @@ const struct ecc_curve nettle_secp_384r1 =
   ecc_mul_g,
   ecc_j_to_a,
 
-  ecc_p,
   ecc_b,
-  ecc_q,
   ecc_g,
   NULL,
-  ecc_Bmodp,
-  ecc_Bmodp_shifted,
   ecc_pp1h,
-  ecc_redc_ppm1,
   ecc_unit,
-  ecc_Bmodq,
-  ecc_Bmodq_shifted,
   ecc_qp1h,
   ecc_table
 };

ecc-521.c

@@ -77,13 +77,28 @@ ecc_521_modp (const struct ecc_curve *ecc UNUSED, mp_limb_t *rp)
 
 const struct ecc_curve nettle_secp_521r1 =
 {
-  521,
-  ECC_LIMB_SIZE,    
-  ECC_BMODP_SIZE,
-  521,
-  ECC_BMODQ_SIZE,
+  {
+    521,
+    ECC_LIMB_SIZE,    
+    ECC_BMODP_SIZE,
+    ECC_REDC_SIZE,
+    ecc_p,
+    ecc_Bmodp,
+    ecc_Bmodp_shifted,
+    ecc_redc_ppm1,
+  },
+  {
+    521,
+    ECC_LIMB_SIZE,    
+    ECC_BMODQ_SIZE,
+    0,
+    ecc_q,
+    ecc_Bmodq,
+    ecc_Bmodq_shifted,
+    NULL,
+  },
+  
   USE_REDC,
-  ECC_REDC_SIZE,
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
@@ -102,18 +117,11 @@ const struct ecc_curve nettle_secp_521r1 =
   ecc_mul_g,
   ecc_j_to_a,
 
-  ecc_p,
   ecc_b,
-  ecc_q,
   ecc_g,
   NULL,
-  ecc_Bmodp,
-  ecc_Bmodp_shifted,
   ecc_pp1h,
-  ecc_redc_ppm1,
   ecc_unit,
-  ecc_Bmodq,
-  ecc_Bmodq_shifted,
   ecc_qp1h,
   ecc_table
 };

ecc-a-to-j.c

@@ -44,16 +44,16 @@ ecc_a_to_j (const struct ecc_curve *ecc,
 {
   if (ecc->use_redc)
     {
-      mpn_copyd (r + ecc->size, p, 2*ecc->size);
+      mpn_copyd (r + ecc->p.size, p, 2*ecc->p.size);
 
-      mpn_zero (r, ecc->size);
+      mpn_zero (r, ecc->p.size);
       ecc->modp (ecc, r);
 
-      mpn_zero (r + ecc->size, ecc->size);
-      ecc->modp (ecc, r + ecc->size);
+      mpn_zero (r + ecc->p.size, ecc->p.size);
+      ecc->modp (ecc, r + ecc->p.size);
     }
   else if (r != p)
-    mpn_copyi (r, p, 2*ecc->size);
+    mpn_copyi (r, p, 2*ecc->p.size);
 
-  mpn_copyi (r + 2*ecc->size, ecc->unit, ecc->size);
+  mpn_copyi (r + 2*ecc->p.size, ecc->unit, ecc->p.size);
 }

ecc-add-eh.c

@@ -39,7 +39,7 @@
 mp_size_t
 ecc_add_eh_itch (const struct ecc_curve *ecc)
 {
-  return ECC_ADD_EH_ITCH (ecc->size);
+  return ECC_ADD_EH_ITCH (ecc->p.size);
 }
 
 /* Add two points on an Edwards curve, with result and first point in
@@ -50,15 +50,15 @@ ecc_add_eh (const struct ecc_curve *ecc,
 	    mp_limb_t *scratch)
 {
 #define x1 p
-#define y1 (p + ecc->size)
-#define z1 (p + 2*ecc->size)
+#define y1 (p + ecc->p.size)
+#define z1 (p + 2*ecc->p.size)